openssl_personal_cas.cnf

# Copyright © 2017 Alessandro Menti
#
# This file is licensed under the terms and conditions of the MIT license.
# See the LICENSE file for more details.

# OpenSSL configuration file for personal certificate CAs.

oid_file = additional_oids

[ca]
default_ca = personal-emailvalidated_ca

[req]
default_bits = 4096
default_md = sha256
string_mask = utf8only
distinguished_name = req_dn

[req_dn]
givenName = "First name"
surname = "Surname"
organizationName = "Organization name"
streetAddress = "Street address"
localityName = "Locality"
stateOrProvinceName = "State or Province"
postalCode = "ZIP code"
countryName = "Country"
countryName_min = 2
countryName_max = 2

# ----------------------------------------------------------------------------
[personal-emailvalidated_ca]
dir = ./personal-emailvalidated
database = $dir/index
serial = $dir/serial
crlnumber = $dir/crlserial
certificate = $dir/personal-emailvalidatedca.cer
private_key = $dir/personal-emailvalidatedca.pvk
new_certs_dir = $dir/newcerts

# Choose SHA-256 as the hash algorithm.
default_md = sha256

# Make certificates valid for a year and CRLs valid for seven days.
default_days = 365
default_crl_days = 7

# To ease key rollover, allow certificates to have the same Subject DN and be
# valid at the same time.
unique_subject = no
# Only add the DN components/extensions we specify here to the issued
# certificates.
preserve = no
copy_extensions = none
email_in_dn = no
policy = personal-emailvalidated_dn_policy
# Show (almost all) details when signing a certificate request.
name_opt = ca_default
cert_opt = ca_default

x509_extensions = personal-emailvalidated_certificate_extensions
crl_extensions = personal-emailvalidated_crl_extensions

# Extensions for personal, e-mail validated certificates.
[personal-emailvalidated_certificate_extensions]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,emailProtection
# Replace the e-mail address here
subjectAltName = critical,email:example@example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# Replace the URLs here
authorityInfoAccess = OCSP;URI:http://myca.example.com/ocsp/personal-emailvalidatedca,caIssuers;URI:http://myca.example.com/repository/personal-emailvalidatedca.cer
crlDistributionPoints = URI:http://myca.example.com/repository/personal-emailvalidatedca.crl
# If you are following the validation practices mandated by the CA/Browser
# Forum, add "cabBRDomainValidated" to the line below.
certificatePolicies = @polsect

[personal-emailvalidated_dn_policy]
# Do not trust anything

[personal-emailvalidated_crl_extensions]
# Replace the URL here
authorityInfoAccess = caIssuers;URI:http://myca.example.com/repository/personal-emailvalidatedca.cer
authorityKeyIdentifier = keyid:always
# ----------------------------------------------------------------------------
[personal-individualvalidated_ca]
dir = ./personal-individualvalidated
database = $dir/index
serial = $dir/serial
crlnumber = $dir/crlserial
certificate = $dir/personal-individualvalidatedca.cer
private_key = $dir/personal-individualvalidatedca.pvk
new_certs_dir = $dir/newcerts

# Choose SHA-256 as the hash algorithm.
default_md = sha256

# Make certificates valid for a year and CRLs valid for seven days.
default_days = 365
default_crl_days = 7

# To ease key rollover, allow certificates to have the same Subject DN and be
# valid at the same time.
unique_subject = no
# Only add the DN components/extensions we specify here to the issued
# certificates.
preserve = no
copy_extensions = none
email_in_dn = no
policy = personal-individualvalidated_dn_policy
# Show (almost all) details when signing a certificate request.
name_opt = ca_default
cert_opt = ca_default

x509_extensions = personal-individualvalidated_certificate_extensions
crl_extensions = personal-individualvalidated_crl_extensions

# Extensions for personal, individual validated certificates.
[personal-individualvalidated_certificate_extensions]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,emailProtection,adobeAuthenticDocumentsTrust,kpDocumentSigning
# Replace the e-mail address here
subjectAltName = email:example@example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# Replace the URLs here
authorityInfoAccess = OCSP;URI:http://myca.example.com/ocsp/personal-individualvalidatedca,caIssuers;URI:http://myca.example.com/repository/personal-individualvalidatedca.cer
crlDistributionPoints = URI:http://myca.example.com/repository/personal-individualvalidatedca.crl
# If you are following the validation practices mandated by the CA/Browser
# Forum, add "cabBRIndividualValidated" to the line below.
certificatePolicies = @polsect

[personal-individualvalidated_dn_policy]
givenName = supplied
surname = supplied
localityName = supplied
stateOrProvinceName = optional
postalCode = optional
countryName = supplied

[personal-individualvalidated_crl_extensions]
# Replace the URL here
authorityInfoAccess = caIssuers;URI:http://myca.example.com/repository/personal-individualvalidatedca.cer
authorityKeyIdentifier = keyid:always
# ----------------------------------------------------------------------------
[personal-organizationvalidated_ca]
dir = ./personal-organizationvalidated
database = $dir/index
serial = $dir/serial
crlnumber = $dir/crlserial
certificate = $dir/personal-organizationvalidatedca.cer
private_key = $dir/personal-organizationvalidatedca.pvk
new_certs_dir = $dir/newcerts

# Choose SHA-256 as the hash algorithm.
default_md = sha256

# Make certificates valid for a year and CRLs valid for seven days.
default_days = 365
default_crl_days = 7

# To ease key rollover, allow certificates to have the same Subject DN and be
# valid at the same time.
unique_subject = no
# Only add the DN components/extensions we specify here to the issued
# certificates.
preserve = no
copy_extensions = none
email_in_dn = no
policy = personal-organizationvalidated_dn_policy
# Show (almost all) details when signing a certificate request.
name_opt = ca_default
cert_opt = ca_default

x509_extensions = personal-organizationvalidated_certificate_extensions
crl_extensions = personal-organizationvalidated_crl_extensions

# Extensions for personal, organization validated certificates.
[personal-organizationvalidated_certificate_extensions]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,emailProtection,adobeAuthenticDocumentsTrust,kpDocumentSigning
# Replace the e-mail address here
subjectAltName = email:example@example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# Replace the URLs here
authorityInfoAccess = OCSP;URI:http://myca.example.com/ocsp/personal-organizationvalidatedca,caIssuers;URI:http://myca.example.com/repository/personal-organizationvalidatedca.cer
crlDistributionPoints = URI:http://myca.example.com/repository/personal-organizationvalidatedca.crl
# If you are following the validation practices mandated by the CA/Browser
# Forum, add "cabBROrganizationValidated" to the line below.
certificatePolicies = @polsect

[personal-organizationvalidated_dn_policy]
organizationName = supplied
streetAddress = optional
localityName = supplied
stateOrProvinceName = optional
postalCode = optional
countryName = supplied

[personal-organizationvalidated_crl_extensions]
# Replace the URL here
authorityInfoAccess = caIssuers;URI:http://myca.example.com/repository/personal-organizationvalidatedca.cer
authorityKeyIdentifier = keyid:always
# ----------------------------------------------------------------------------
[polsect]
# Replace myCPSOID with the OID associated to your CPS.
policyIdentifier = 1.2.3.4
# Replace the following URL with the one pointing to your CPS.
CPS.1 = "http://myca.example.com/repository/cps.pdf"